Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-16 Thread Matt Fleming
On Fri, 14 Apr, at 08:05:07PM, Thomas Gleixner wrote:
> On Wed, 5 Apr 2017, David Howells wrote:
> 
> > From: Kyle McMartin 
> > 
> > Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
> > kernel image to be modified.  This lifts the lockdown.
> > 
> > Signed-off-by: Kyle McMartin 
> > Signed-off-by: David Howells 
> > cc: x...@kernel.org
> 
> Matt, Ard?
> 
> Any opinions on this?

Looks OK to me.


Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-14 Thread David Howells
Ard Biesheuvel wrote:

> That does bring me to another EFI related point: many of these patches
> are x86 specific for no good reason.

Note that the sysrq one is awkward since the key chosen *is* arch-specific.
SysRq+x can't be arbitrarily assigned to this since some other arches have
their own use for it.

Anyway, the ones that are x86-specific are:

efi: Add EFI_SECURE_BOOT bit
efi: Lock down the kernel if booted in secure boot mode
Add a sysrq option to exit secure boot mode
Copy secure_boot flag in boot params across kexec reboot
x86: Lock down IO port access when the kernel is locked down
x86: Restrict MSR access when the kernel is locked down
asus-wmi: Restrict debugfs interface when the kernel is locked down

The first three are dealt with in the five patches I posted later, including
making the choice of sysrq key an arch override.  The bits that can be moved
out to the efi firmware driver have been.

The 4th looks to be x86 bootloader protocol specific.

The remainder look very x86 specific, apart from one piece in the 5th patch
where /dev/port is locked down.

David


Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-14 Thread Ard Biesheuvel
On 14 April 2017 at 19:05, Thomas Gleixner wrote:
> On Wed, 5 Apr 2017, David Howells wrote:
>
>> From: Kyle McMartin 
>>
>> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
>> kernel image to be modified.  This lifts the lockdown.
>>
>> Signed-off-by: Kyle McMartin 
>> Signed-off-by: David Howells 
>> cc: x...@kernel.org
>
> Matt, Ard?
>
> Any opinions on this?
>

From an EFI point of view, there is not a lot to see here. I think
having a SysRq to lift lockdown makes sense, although I think we
should avoid 'secure boot' when referring to lockdown because they are
really two different things. As someone else pointed out, you may have
other ways of trusting your kernel, in which case you should be able
to lock it down as well.

That does bring me to another EFI related point: many of these patches
are x86 specific for no good reason. We have been working really hard
over the past couple of years to move EFI plumbing into
drivers/firmware/efi, and things that are not intimately related to an
architecture should ideally be implemented there. Looking at the
diffstat of this patch, I don't see why this should be an x86-only
feature.

In general, though, I think this should be two patches, one that
introduces the functionality to restrict some SysRq keys to console
only, and one that adds the 'x' for lockdown lift.

I haven't gotten around to responding to David's general email
regarding the point of all of this. I will do so asap, but it will
need to wait until Tuesday at least.

-- 
Ard.


Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-14 Thread Thomas Gleixner
On Wed, 5 Apr 2017, David Howells wrote:

> From: Kyle McMartin 
> 
> Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
> kernel image to be modified.  This lifts the lockdown.
> 
> Signed-off-by: Kyle McMartin 
> Signed-off-by: David Howells 
> cc: x...@kernel.org

Matt, Ard?

Any opinions on this?

Thanks,

tglx


[PATCH 06/24] Add a sysrq option to exit secure boot mode

2017-04-05 Thread David Howells
From: Kyle McMartin 

Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
kernel image to be modified.  This lifts the lockdown.

Signed-off-by: Kyle McMartin 
Signed-off-by: David Howells 
cc: x...@kernel.org
---

 arch/x86/Kconfig            |   10 ++
 arch/x86/kernel/setup.c     |   31 +++
 drivers/input/misc/uinput.c |    1 +
 drivers/tty/sysrq.c         |   19 +--
 include/linux/input.h       |    5 +
 include/linux/sysrq.h       |    8 +++-
 kernel/debug/kdb/kdb_main.c |    2 +-
 7 files changed, 68 insertions(+), 8 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 21f39855661d..457c04971849 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1829,6 +1829,16 @@ config EFI_SECURE_BOOT_LOCK_DOWN
  image.  Say Y here to automatically lock down the kernel when a
  system boots with UEFI Secure Boot enabled.
 
+config EFI_ALLOW_SECURE_BOOT_EXIT
+   def_bool n
+   depends on EFI_SECURE_BOOT_LOCK_DOWN && MAGIC_SYSRQ
+   select ALLOW_LOCKDOWN_LIFT
+   prompt "Allow secure boot mode to be exited with SysRq+x on a keyboard"
+   ---help---
+ Allow secure boot mode to be exited and the kernel lockdown lifted by
+ typing SysRq+x on a keyboard attached to the system (not permitted
+ through procfs).
+
 config SECCOMP
def_bool y
prompt "Enable seccomp to safely compute untrusted bytecode"
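
Review bot: the help text for EFI_ALLOW_SECURE_BOOT_EXIT does not state the security consequence of enabling it. With this option set, anyone who can type SysRq+x on an attached keyboard lifts the kernel lockdown, so the help should say that physical console access then becomes sufficient to allow the running kernel image to be modified, and that the firmware's Secure Boot setting itself is not changed. It would also help to say whether "not permitted through procfs" is meant to cover other userspace-generated key events as well.
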
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
index 85dfa745c442..a415a4817684 100644
--- a/arch/x86/kernel/setup.c
+++ b/arch/x86/kernel/setup.c
@@ -71,6 +71,11 @@
 #include 
 #include 
 
+#include 
+#include 
+#include 
+#include 
+
 #include 
 
 #include 
@@ -1330,6 +1335,32 @@ void __init i386_reserve_resources(void)
 
 #endif /* CONFIG_X86_32 */
 
+#ifdef CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT
+
+static void sysrq_handle_secure_boot(int key)
+{
+   if (!efi_enabled(EFI_SECURE_BOOT))
+   return;
+
+   pr_info("Secure boot disabled\n");
+   lift_kernel_lockdown();
+}
+static struct sysrq_key_op secure_boot_sysrq_op = {
+   .handler=   sysrq_handle_secure_boot,
+   .help_msg   =   "unSB(x)",
+   .action_msg =   "Disabling Secure Boot restrictions",
+   .enable_mask=   SYSRQ_DISABLE_USERSPACE,
+};
+static int __init secure_boot_sysrq(void)
+{
+   if (efi_enabled(EFI_SECURE_BOOT))
+   register_sysrq_key('x', _boot_sysrq_op);
+   return 0;
+}
+late_initcall(secure_boot_sysrq);
+#endif /*CONFIG_EFI_ALLOW_SECURE_BOOT_EXIT*/
+
+
 static struct notifier_block kernel_offset_notifier = {
.notifier_call = dump_kernel_offset
 };
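
Review bot: in secure_boot_sysrq() the registration line passes _boot_sysrq_op, which is not declared anywhere in this hunk; the structure defined just above is secure_boot_sysrq_op, so the argument should be &secure_boot_sysrq_op. The return value of register_sysrq_key() is also dropped, so a failure to claim 'x' goes unreported; check it and log the failure. Separately, pr_info("Secure boot disabled\n") and the "Disabling Secure Boot restrictions" action message overstate what happens: the handler only calls lift_kernel_lockdown(), so wording such as "Kernel lockdown lifted" would keep the logs accurate for anyone auditing them later.
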
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 022be0e22eba..4a054a564636 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -387,6 +387,7 @@ static int uinput_allocate_device(struct uinput_device 
*udev)
if (!udev->dev)
return -ENOMEM;
 
+   udev->dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
udev->dev->event = uinput_dev_event;
input_set_drvdata(udev->dev, udev);
 
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index c6fc7141d7b2..0c96cf60f1a6 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -481,6 +481,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
/* x: May be registered on mips for TLB dump */
/* x: May be registered on ppc/powerpc for xmon */
/* x: May be registered on sparc64 for global PMU dump */
+   /* x: May be registered on x86_64 for disabling secure boot */
NULL,   /* x */
/* y: May be registered on sparc64 for global register dump */
NULL,   /* y */
@@ -524,7 +525,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op 
*op_p)
 sysrq_key_table[i] = op_p;
 }
 
-void __handle_sysrq(int key, bool check_mask)
+void __handle_sysrq(int key, unsigned int from)
 {
struct sysrq_key_op *op_p;
int orig_log_level;
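
Review bot: changing the second parameter of __handle_sysrq() from bool check_mask to unsigned int from lets any caller that was not converted keep compiling. A leftover true or false would be silently interpreted as whichever SYSRQ_FROM_* constants have the values 1 and 0. Declaring the parameter as a named enum type, and documenting each SYSRQ_FROM_* origin next to its definition, would make unconverted callers easier to spot and make the trust level of each origin explicit.
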
@@ -544,11 +545,15 @@ void __handle_sysrq(int key, bool check_mask)
 
 op_p = __sysrq_get_key_op(key);
 if (op_p) {
+   /* Ban synthetic events from some sysrq functionality */
+   if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
+   op_p->enable_mask & SYSRQ_DISABLE_USERSPACE)
+   printk("This sysrq operation is disabled from 
userspace.\n");
/*
 * Should we check for enabled operations (/proc/sysrq-trigger
 * should not) and is the invoked operation enabled?
 */
-   if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
+   if (from == SYSRQ_FROM_KERNEL || 
sysrq_on_mask(op_p->enable_mask)) {
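
Review bot: the new SYSRQ_DISABLE_USERSPACE check in __handle_sysrq() only prints a message. In the lines shown there is no return, else or goto after the printk(), so control continues to the sysrq_on_mask() test below, and a key marked SYSRQ_DISABLE_USERSPACE is refused for SYSRQ_FROM_PROC or SYSRQ_FROM_SYNTHETIC only if that later test happens to reject it. Make the refusal explicit, for example by turning the following if into an else if. The printk() also needs a log level, and the bitwise test reads better parenthesised as (op_p->enable_mask & SYSRQ_DISABLE_USERSPACE). Finally, the retained comment says /proc/sysrq-trigger should not be subject to the enabled-operations check, but the new condition bypasses sysrq_on_mask() only for SYSRQ_FROM_KERNEL; either the comment or the condition needs updating.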
  
